Penetration scan and TLS cyphers.

paulororke · May 9, 2025, 8:57pm

Hi,

I have seen a few references here to the use of

tls-version=only-1.2

to manage the TLS versions used. I have an RB 3011 as a gateway to our office LAN and a third party has been engaged to do penetration scans (Kali Linux based) on the site.

I am attempting to address this point:

2.1.1 Medium 443/tcp

Medium (CVSS: 5.9)

NVT: SSL/TLS: Report Weak Cipher Suites

Product detection result
cpe:/a:ietf:transport_layer_security
Detected by SSL/TLS: Report Supported Cipher Suites (OID: 1.3.6.1.4.1.25623.1.0.
→֒802067)

Summary
This routine reports all weak SSL/TLS cipher suites accepted by a service.

Quality of Detection (QoD): 98%

Vulnerability Detection Result
‘Weak’ cipher suites accepted by this service via the TLSv1.0 protocol:
TLS_RSA_WITH_RC4_128_SHA
‘Weak’ cipher suites accepted by this service via the TLSv1.1 protocol:
TLS_RSA_WITH_RC4_128_SHA
‘Weak’ cipher suites accepted by this service via the TLSv1.2 protocol:
TLS_RSA_WITH_RC4_128_SHA

Impact
This could allow remote attackers to obtain sensitive information or have other, unspeci ed
impacts.

Solution:
Solution type: > Mitigation
The configuration of this services should be changed so that it does not accept the listed weak
cipher suites anymore.
Please see the references for more resources supporting you with this task.

Should issuing the command:

 > ip service set api-ssl tls-version=only-1.2

not limit things to only use TLS1.2? After issuing the command and rescanning the report does not change. I even rebooted the router.

Am I missing something fundamental here? What is the correct approach to preventing the use of those older ‘Weak’ cipher suites in TLS1.0 and 1.1?

I guess ideally I should use only TLS1.3 to pass this test. Can the be done another way, other than the tls-version command?

jvanhambelgium · May 10, 2025, 6:01am

side-question ; you have Webfig interface available from/for the whole office LAN than ? I assume the pen-test is “internal” so on the LAN itself.
You don’t have it narrowed down to eg. 1 or 2 management-stations that can connect to your 3011 ?
Use Winbox ?

tangent · May 10, 2025, 6:21am

Your pen tester is not checking just the REST API, they are checking from the root of the site, which is served by:

/ip service set www-ssl tls-version=only-1.2

Separate service, separate setting.

If you only want the REST API and no WebFig, then disable both www and www-ssl.

infabo · May 12, 2025, 1:29pm

According to docs, either www-ssl or www service need to be enabled for REST API.

see https://help.mikrotik.com/docs/spaces/ROS/pages/47579162/REST+API

paulororke · May 12, 2025, 3:01pm

Thanks for this.

I see, api-ssl and www-ssl are discrete.

The pen test is from outside and should not be hitting my internal anything as far as I understand.

Before the test I had

after running

ip service set www-ssl tls-version=only-1.2

I get

So I will have them run the test again.

One question - why would the pen test be reporting on services that are disabled?

Very much appreciated guys. I’ll let you know how it goes if you are interested.

cheers

paulororke · May 12, 2025, 4:29pm

I am still getting the same pen test results.

I was confused as to why port 443 was even coming up, then remembered that I have some SSTP based VPN’s available that use 443.

Can I specify the TLS version for use in an SSTP set up?

Amm0 · May 12, 2025, 4:46pm

There is setting to enable tls-1.2-only on the SSTP interface.

/interface/sstp-server/server/set tls-version=only-1.2

It’s also in winbox, from PPP on left, then “SSTP Server” button, you’ll see the same option.

Amm0 · May 12, 2025, 4:49pm

Also note, in the upcoming 7.19 release, there is newer feature that will show all open ports (similar to netstat) in /ip/services. This would help to identify WHICH process might be using something like 443 in future.

paulororke · May 12, 2025, 9:59pm

Thanks for this. Very much appreciate.

I have to confess to being a “Jack of all Trades” in IT. Unfortunately that also means “Master of none”, and security is not my strong suit.

I have now added only1.2 to the SSTP as suggested but the scan report of old cyphers being used persists.

I have a port forward to a Windows server that someone else manages. I will have that admin try limiting things to 1.2 and see if that helps.

Perhaps the issue is not the router at all and I have been barking up the wrong tree.

Regardless, it is good to limit the cyphers on the router, so this has not exactly been a waste of time.

Your help is very much appreciated.